analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

21062674729.xls

Full analysis: https://app.any.run/tasks/6ef80a62-342d-4586-af97-95fb799f7fbf
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 01:15:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
trojan
maldoc-42
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Sep 29 12:36:11 2020, Security: 0
MD5:

A516A704B75E1880ADF73102C6C08B90

SHA1:

48871A261AE0866E7933BE6D073EA5528CDE0BA5

SHA256:

A2DEA167E548888D930BEF59056B4F095CEE8BF9355839692E307523E5D34AF8

SSDEEP:

1536:j/7uDphYHceXVhca+fMHLtyeGxcl8/dgKD6yzsFyBCKHtfBE:j/7uDphYHceXVhca+fMHLtyeGxcl8/ds

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 1500)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1500)

    • Downloads executable files with a strange extension

      • EXCEL.EXE (PID: 1500)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 1500)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2006:09:16 00:00:00
ModifyDate: 2020:09:29 11:36:11
Security: None
CodePage: Windows Cyrillic
AppVersion: 14
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • DocuSign®
  • Лист1
  • Лист2
  • Лист3
HeadingPairs:
  • Листы
  • 3
  • Макросы Excel 4.0
  • 1
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe feryrtc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1500"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2280"C:\Asuses\gramyuta\Feryrtc.exe" C:\Asuses\gramyuta\Feryrtc.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
559
Read events
507
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1500EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA5A7.tmp.cvr
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1500
EXCEL.EXE
GET
200
41.185.103.105:80
http://www.designerconceptsonline.co.za/vauwvgmkcuw/88888.png
ZA
executable
231 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1500
EXCEL.EXE
41.185.103.105:80
www.designerconceptsonline.co.za
webafrica
ZA
malicious

DNS requests

Domain
IP
Reputation
www.designerconceptsonline.co.za
  • 41.185.103.105
malicious

Threats

PID
Process
Class
Message
1500
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1500
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
1500
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
1500
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
1500
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
1500
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
21062674729.xls